Coordinated Disclosure Timeline
- 2022-05-12: Report sent to email@example.com
- 2022-06-12: Reminder sent to firstname.lastname@example.org and email@example.com
- 2022-10-10: Reminder sent to firstname.lastname@example.org and email@example.com
- 2022-10-14: Extended deadline since the fix is being addressed
- 2022-11-21: Fix merged
codex-team/editor.js is vulnerable to XSS attacks when copy/pasting specially crafted input into the editor.
Issue: XSS copy/pasting HTML in the editor
processHTML method is passing pasted input into
- Open https://cdn.sekurak.pl/copy-paste/playground.html in your browser, enter <img src='foo' onerror='alert(123)'/> in the HTML Input box, and copy as HTML.
- Open https://editorjs.io/ in your browser.
- Paste the copied content into the editor.
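The pattern the advisory describes is pasted HTML reaching the DOM without sanitization. As an added, defensive example that is not part of this advisory and is not editor.js's code or fix, the JavaScript below rebuilds pasted markup from an allowlist of tags, attributes and URL schemes before anything is inserted, and runs the proof-of-concept payload from the steps above through it. The allowlist contents and the handlePaste hook are assumptions chosen for illustration.

```javascript
// Added example (not editor.js code): re-serialize pasted HTML from an allowlist before it
// reaches innerHTML. The hypothetical handlePaste() shows where such a step belongs.

// Allowed tag -> allowed attributes. A Map avoids prototype-chain hits such as "constructor".
const ALLOWED = new Map([
  ["b", []], ["i", []], ["u", []], ["strong", []], ["em", []], ["p", []], ["br", []],
  ["ul", []], ["ol", []], ["li", []], ["a", ["href"]], ["img", ["src", "alt"]],
]);
const VOID = new Set(["br", "img"]);                           // never emit a closing tag for these
const DROP_CONTENT = new Set(["script", "style", "template"]); // drop their text, not just the tag
const URL_ATTRS = new Set(["href", "src"]);

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Only http(s), mailto and relative URLs survive. Control characters and spaces are removed
// first because browsers ignore them inside a scheme (e.g. "java\tscript:").
function safeUrl(value) {
  const cleaned = value.replace(/[\u0000-\u0020\u007f]/g, "").toLowerCase();
  const m = cleaned.match(/^([a-z][a-z0-9+.-]*):/);
  return !m || ["http", "https", "mailto"].includes(m[1]);
}

// Read one tag starting at html[start] === "<"; returns the token and the index after ">".
function readTag(html, start) {
  let i = start + 1;
  const closing = html[i] === "/";
  if (closing) i++;
  let name = "";
  while (i < html.length && /[a-zA-Z0-9:-]/.test(html[i])) name += html[i++];
  const attrs = Object.create(null); // null prototype: attribute names cannot alias Object.prototype
  while (i < html.length && html[i] !== ">") {
    if (/[\s\/]/.test(html[i])) { i++; continue; }
    let attrName = "";
    while (i < html.length && !/[\s=>\/]/.test(html[i])) attrName += html[i++];
    while (i < html.length && /\s/.test(html[i])) i++;
    let value = "";
    if (html[i] === "=") {
      i++;
      while (i < html.length && /\s/.test(html[i])) i++;
      const quote = html[i];
      if (quote === '"' || quote === "'") {
        i++;
        while (i < html.length && html[i] !== quote) value += html[i++];
        i++; // closing quote
      } else {
        while (i < html.length && !/[\s>]/.test(html[i])) value += html[i++];
      }
    }
    if (attrName) attrs[attrName.toLowerCase()] = value;
  }
  return { token: { type: "tag", name: name.toLowerCase(), closing, attrs }, end: Math.min(i + 1, html.length) };
}

// Split input into text and tag tokens. Comments are discarded; a "<" that does not start a
// tag is ordinary text and will be escaped on output.
function tokenize(html) {
  const tokens = [];
  let text = "";
  const flush = () => { if (text) { tokens.push({ type: "text", data: text }); text = ""; } };
  for (let i = 0; i < html.length;) {
    if (html.startsWith("<!--", i)) {
      flush();
      const end = html.indexOf("-->", i + 4);
      i = end === -1 ? html.length : end + 3;
    } else if (html[i] === "<" && /[a-zA-Z\/]/.test(html[i + 1] || "")) {
      flush();
      const { token, end } = readTag(html, i);
      tokens.push(token);
      i = end;
    } else {
      text += html[i++];
    }
  }
  flush();
  return tokens;
}

// Rebuild markup from tokens: unknown tags vanish, script/style bodies vanish, only allowlisted
// attributes with safe URLs are re-emitted, and every text node and value is escaped.
function sanitizePastedHtml(html) {
  let out = "";
  let dropDepth = 0; // > 0 while inside <script>/<style>/<template>
  for (const t of tokenize(html)) {
    if (t.type === "text") {
      if (dropDepth === 0) out += escapeHtml(t.data); // entities are re-escaped, not decoded
    } else if (DROP_CONTENT.has(t.name)) {
      dropDepth = t.closing ? Math.max(0, dropDepth - 1) : dropDepth + 1;
    } else if (ALLOWED.has(t.name) && dropDepth === 0) {
      if (t.closing) {
        if (!VOID.has(t.name)) out += `</${t.name}>`;
      } else {
        let attrs = "";
        for (const a of ALLOWED.get(t.name)) {
          if (!(a in t.attrs)) continue; // on* handlers never match the allowlist
          if (URL_ATTRS.has(a) && !safeUrl(t.attrs[a])) continue;
          attrs += ` ${a}="${escapeHtml(t.attrs[a])}"`;
        }
        out += `<${t.name}${attrs}>`;
      }
    }
    // any other tag (svg, iframe, object, ...) is simply omitted
  }
  return out;
}

// Browser-side hook (hypothetical; not called in this file): route the clipboard's HTML flavour
// through the sanitizer so only re-serialized markup, never raw paste data, reaches innerHTML.
function handlePaste(event, target) {
  event.preventDefault();
  const raw = event.clipboardData.getData("text/html") || "";
  target.innerHTML = sanitizePastedHtml(raw);
}

// The advisory's proof-of-concept payload, run through the sanitizer:
console.log(sanitizePastedHtml("<img src='foo' onerror='alert(123)'/>")); // <img src="foo">
```

Re-serializing from tokens, rather than deleting matches from the original string, is what makes the output safe: every text node and attribute value is escaped on the way out, so an entity-smuggled scheme such as java&#9;script: comes out inert. The cost is that entities already in the paste are not decoded (an &amp; in the input renders literally); inside a browser, a DOM-based sanitizer that parses with the same parser that will render the result is the better fit.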
This issue was discovered by CodeQL team members @kaeluka (Stephan Brandauer) and @erik-krogh (Erik Krogh Kristensen), using a CodeQL query originally contributed by community member @bananabr (Daniel Santos).
You can contact the GHSL team at firstname.lastname@example.org; please include a reference to GHSL-2022-028 in any communication regarding this issue.
GitHub Security Advisories
We recommend you create a private GitHub Security Advisory for these findings. This also allows you to invite the GHSL team to collaborate and further discuss these findings in private before they are published.